System Menu 4.2

Posted by flyguy 
Re: System Menu 4.2
August 12, 2009 01:40AM
Yeah, NUSD would probably be better. It's impossible (for me at least) to remember the memory addresses of what you have to change, but the strncmp/memcmp verification is in place at the same address in every WAD. Look at the source of an app that patches IOSs to figure out where.

(There are better people to ask about this than me)
Re: System Menu 4.2
August 12, 2009 10:42AM
And you do it to the WAD, not the unpacked IOS? Then just install with WAD Manager?
Re: System Menu 4.2
August 12, 2009 02:56PM
You might have to unpack it beforehand. Again, there are better people to talk to than myself about this.
Re: System Menu 4.2
August 12, 2009 11:15PM
Back on topic... I would love to see a channel from Team Twiizers that allows us to download legal themes and apply them (like WinterBoard for the iPhone).
Also a game patcher would be nice.
Re: System Menu 4.2
August 12, 2009 11:36PM
That's not really on topic...the topic was about official updates. But anyway, that stuff would be pretty cool, but I don't really see why there needs to be a channel for themes. Why not just a HBC app? It's not like it needs quick access or anything. Personally I'd like to see Almeda (HBC Banner Tools) released, and an easy custom channel creation tool, that's legal, by Team Twiizers.
Re: System Menu 4.2
August 12, 2009 11:39PM
Well, I was talking about an official game patcher... but yeah, I guess a theming app would be great.
Re: System Menu 4.2
August 14, 2009 05:40AM
Just a quick question about the boot2 signature. Shouldn't it be possible with a dump of boot0, boot1, and boot2, along with the OTP mem, to find the keys? Or are they one of the things that's encrypted using an RSA algorithm?
Re: System Menu 4.2
August 14, 2009 04:38PM
The keys are included in a nand dump (via BootMii). They're the first (16?) bytes. View them in hex format to make them compatible with Betwiin.

Also, boot0 is hidden on a small ROM next to the starlet coprocessor. Good luck dumping that.

See next post by me

Edited 1 time(s). Last edit at 08/14/2009 11:06PM by Arikado.
Re: System Menu 4.2
August 14, 2009 08:42PM
I think he means finding the key required to sign BootMii boot2 to allow installation on those Wiis with a fixed boot1. But this is illegal, because it is using Nintendo's signature. It's like forging a signature in real life, on a cheque or statement or something. That's why there must be an exploit, like the trucha bug, in boot1 for it to be legally done.
Re: System Menu 4.2
August 14, 2009 09:05PM
Having boot0 to 2 doesn't change anything, because it is well known what they do, and they hide no secrets.

Quote
Arikado
They're the first (16?) bytes.
Aren't they the last bytes?
Re: System Menu 4.2
August 14, 2009 11:05PM
Did some research...

Keys are the last 1024 bytes (1 kilobyte) of a BootMii NAND dump (nand.bin file)
Re: System Menu 4.2
August 14, 2009 11:34PM
Quote
SifJar
I think he means finding the key required to sign BootMii boot2 to allow installation on those Wiis with a fixed boot1. But this is illegal, because it is using Nintendo's signature. It's like forging a signature in real life, on a cheque or statement or something. That's why there must be an exploit, like the trucha bug, in boot1 for it to be legally done.

Yeah, I guess I didn't think of it in those terms. Basically, what you're saying is it can be done, but we couldn't legally distribute BootMii in that manner because of how it is installed/signed, which would be illegal, so it's pointless to do it; we just need an exploit of some kind so we can do it legally.
Re: System Menu 4.2
August 14, 2009 11:46PM
Precisely. Now obviously trucha bug is what is currently used, but seeing as how that's fixed, someone would have to find a new bug, which would let us do something similar, which was present in all current boot1 versions. Then Nintendo would patch it and release a new set of Wiis with a new boot1, so the process would start again.
Re: System Menu 4.2
August 14, 2009 11:59PM
Well, actually, the trucha bug is simply the only public exploit available, but behind the scenes, there are at least two more exploits not revealed (one from comex [NotDVDX] and one from Twiizers, used in the HackMii Installer...)
Re: System Menu 4.2
August 15, 2009 03:06AM
But the problem is... do either of those reside in boot1?
Re: System Menu 4.2
August 15, 2009 03:57AM
Quote
TopGun96
But the problem is... do either of those reside in boot1?

This tends to be the problem. I would say Twiizers has an exploit that could work if they dig into it further, and comex's isn't an exploit that can write to the NAND or fakesign, just run code (probably the exploit used in the Super Stack Smash Bros. video). My reasoning for this? Twiizers still installs the HBC somehow. (On a similar note, if we were to disassemble the HackMii Installer, couldn't we figure out what the exploit is?)

EDIT: I noticed a flaw in what I said about comex's exploit. I meant that it could not be used to alter the NAND in such a way that would require fakesigning or something of the sort.

Edited 1 time(s). Last edit at 08/15/2009 06:33AM by cactusjack901.
Re: System Menu 4.2
August 15, 2009 04:13AM
Yeah, but isn't the HackMii Installer copyrighted? Therefore you couldn't release it, because it is Twiizers' code/exploit.

Edited 1 time(s). Last edit at 08/15/2009 04:13AM by TopGun96.
Re: System Menu 4.2
August 15, 2009 06:24AM
Quote
TopGun96
Yeah, but isn't the HackMii Installer copyrighted? Therefore you couldn't release it, because it is Twiizers' code/exploit.

Well, naturally. I'm just speaking on a theoretical level (I do that a lot).
Re: System Menu 4.2
August 15, 2009 11:50AM
comex has an exploit? Do you mean the Smash Bros. one, or something else? And from what I've read, Twiizers' exploit creates a trucha IOS somehow, and I'm not sure that would work in boot1.
Re: System Menu 4.2
August 15, 2009 02:37PM
Lol, but I was just saying that we can't use Twiizers' exploit without them letting us.